On Fri, Oct 07, 2016 at 09:30:35AM -0400, Rob Crittenden wrote:
> Alessandro De Maria wrote:
> > Hello,
> > I am running the following command to create a certificate for etcd
> > ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt",
> > "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D",
> > "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
> > ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> > request, giving up: 2100 (RPC failed at server. Insufficient
> > access: Subject alt name type IP Address is forbidden).
> > I believe FreeIPA does not currently support IPs as the SAN of a
> > certificate.
> > Is this still the case? is there a workaroud?
> Still the case (and not likely to change AFAIK) and the only workaround is
> in code.
There have occasionally been discussions about this. It might be
possible in the future, if we implement an extensible cert request
authorisation mechanism. Won't happen anytime soon, though.
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project